Is your cloud service provider ready for HIPAA?

Is your industry’s compliance with the Health Insurance Portability and Accountability Act of 1996 covered in the cloud?


With so many business sectors moving to the cloud we have to stop and ask: is your industry’s compliance framework covered in the cloud? In this case, HIPAA. Gartner recently reported that expected cloud revenues were $260B in 2017, go far beyond that projection in 2018, and top out at $411B in 2020. So, it’s not a matter of if you’re moving to the cloud; it may just be a question of when.

First, let’s be clear that there is no HIPAA certification for cloud service providers. With the proper implementation, however, the following three major cloud service providers can provide a foundation for security and privacy in the cloud that meets the HIPAA requirements.

Amazon states it like this: "There is no HIPAA certification for a cloud provider such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, a higher security standard that maps to the HIPAA security rule. NIST supports this alignment and has issued SP 800-66, 'An Introductory Resource Guide for Implementing the HIPAA Security Rule,' which documents how NIST 800-53 aligns to the HIPAA Security rule." (Source: AWS)

This is called the shared responsibility model; the cloud service provider handles security of the cloud and your organization is responsible for security in the cloud. For example: the cloud service provider is responsible for protecting the infrastructure that runs all the services offered in their cloud. This infrastructure is composed of the hardware, software, networking and facilities that run cloud services. The customer responsibility will be determined by the cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For more on how this pertains to IaaS, PaaS and SaaS, see "Achieving compliance in the cloud."

It’s no secret that Google, Amazon and Microsoft Azure are the three top cloud service providers.

Google

Is Google HIPAA ready and can it be used safely and securely by HIPAA-covered entities and business associates for sharing PHI?

Google Encryption

HIPAA compliance states that stored data must be encrypted. Data must also be encrypted during uploading and downloading. Google uses 128-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and within its data centers.

Google and most cloud service providers are business associates

The Department of Health and Human Services’ recent guidance states that cloud service providers are not – in the vast majority of cases – considered conduits, so the HIPAA Conduit Exception Rule does not apply. Instead, cloud service providers are classed as business associates. This means they must also comply with HIPAA if they are supporting that same line of business. See The HIPAA BAA for more info.

Google Docs

Google states that healthcare organizations covered by HIPAA Rules must not use G Suite in connection with PHI until a business associate agreement has been obtained. Once the BAA has been obtained, it is the responsibility of the covered entity or business associate using the service to ensure that HIPAA Rules are followed.

Amazon’s AWS and HIPAA

AWS encryption

HIPAA compliance states that stored data must be encrypted. Data must also be encrypted during uploading and downloading. AWS uses 256-bit or stronger Advanced Encryption Standard (AES) by default to protect data in transit to the platform, and between and within its data centers.

AWS and most cloud service providers are business associates

This is the same for Google, Amazon and Azure. They are acting as business associates, and you are only as strong as your weakest link. So, any business associate must meet the same standards you are using them to meet. Also, you can transfer work or a function to a business associate, but the liability and responsibility are still yours.

AWS Documents

AWS WorkDocs is HIPAA eligible, which means that with the proper implementation it can be HIPAA compliant. Amazon states:

You can manage access with Active Directory to take advantage of security groups, single sign-on (SSO), and multi-factor authentication (MFA), and track user and file activity in near real-time. You also control which third party applications users can access with OAuth 2.0, and use AWS CloudTrail to log API calls. WorkDocs is HIPAA eligible, PCI DSS compliant, meets ISO compliance requirements, and files on WorkDocs are encrypted in transit and at rest. With WorkDocs, you own your files. AWS does not access or use customer files for any purpose other than providing files to customers and their end users, and as legally required. You can specify which AWS Region stores user files to help maintain data locality requirements. WorkDocs runs on the world’s largest global cloud infrastructure, built to satisfy the requirements of our most security-sensitive customers.
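The CloudTrail logging and MFA that Amazon describes above only help if someone actually reviews the trail. The following is an added example, not code from the article or from AWS: it parses a constructed batch of CloudTrail-style records (real field names, made-up values) and flags WorkDocs API calls whose session was not MFA-authenticated. A record with no sessionContext at all is treated as "no MFA" so the check fails closed.

```python
import json

# Constructed sample of CloudTrail-style records, one JSON object per line.
# Field names follow CloudTrail's record format; every value here is made up.
SAMPLE_LOG = """
{"eventTime":"2018-03-01T14:02:11Z","eventSource":"workdocs.amazonaws.com","eventName":"GetDocument","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"alice","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}}}
{"eventTime":"2018-03-01T14:05:40Z","eventSource":"workdocs.amazonaws.com","eventName":"GetDocument","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}}}
{"eventTime":"2018-03-01T14:06:02Z","eventSource":"workdocs.amazonaws.com","eventName":"DeleteDocument","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"carol"}}
{"eventTime":"2018-03-01T14:07:30Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"alice","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}}}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def mfa_authenticated(event):
    """True only when the record explicitly says the session used MFA.
    A missing sessionContext or attribute counts as 'no MFA' (fail closed)."""
    identity = event.get("userIdentity", {})
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def find_non_mfa_document_access(events, source="workdocs.amazonaws.com"):
    """Return one finding per call to the given service made without MFA.
    The default source is WorkDocs; pass another eventSource to reuse the check."""
    findings = []
    for event in events:
        if event.get("eventSource") != source:
            continue  # only the document service is in scope here
        if mfa_authenticated(event):
            continue
        findings.append({
            "time": event.get("eventTime"),
            "user": event.get("userIdentity", {}).get("userName", "<unknown>"),
            "action": event.get("eventName"),
            "ip": event.get("sourceIPAddress"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_non_mfa_document_access(parse_records(SAMPLE_LOG)):
        print(json.dumps(finding))
```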

Microsoft Azure and HIPAA

Azure encryption

HIPAA compliance states that stored data must be encrypted. Data must also be encrypted during uploading and downloading. Azure uses 256-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and within its data centers.

Azure and most cloud service providers are business associates

This is the same for Google, Amazon and Azure. They are acting as business associates, and you are only as strong as your weakest link. So, any business associate must meet the same standards you are using them to meet. You can transfer work or a function to a business associate, but the liability and responsibility are always yours. Several versions of Office 365 are covered by Microsoft’s BAA. Those versions are:

Office 365

Office 365 U.S. Government

Office 365 U.S. Government Defense

Azure documents

Office 365 can also be configured to meet HIPAA. As with Google and Amazon above, it is all in the implementation of access controls, permissions and so on.

The bottom line is that HIPAA requires your organization to meet the HIPAA Security and Privacy rules, and the same applies to your business associates. This short article looked at three key areas of a cloud service provider: (1) encryption, (2) the BAA, or Business Associate Agreement, and finally (3) the document workspace, such as Google’s G Suite, Amazon’s WorkDocs and Microsoft Azure’s Office 365.

The HIPAA Security rule covers physical, technical and administrative controls, and the HIPAA Privacy rule deals strictly with data privacy. Data privacy focuses on ePHI (Electronic Protected Health Information) and on the same data in any other form, such as a printout or spoken or written communications.

George Grachis, a senior security and compliance specialist, has over 25 years’ experience in the tech sector. Some of his experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte and serving as Chief Security Officer for Satcom Direct. George holds both the CISSP, and CISA certifications. George received the ISSA fellow Designation in 2016 and is currently an active senior board member of ISSA.